Forum Discussion
Junk Email not working in Hybrid setup
I don't think the issue is the SCL as I would expect the value to be set to -1 in a centralized hybrid deployment. Take a look at the Authentication-Results and Received-SPF header values and it should be showing that the messages are being received from a trusted location (your hybrid servers) which automatically sets the SCL to -1.
EOP should still be using the individual blocked senders list though. Are you defining the safe/block list at the organization level policy or on an individual user mailbox? If the latter, I would assume you are using Outlook to manage these lists and are relying on safe list aggregation to EOP. If you run Get-MailboxJunkEmailConfiguration for the reference mailbox, are the correct items showing for the BlockedSendersAndDomains attribute?
Found the problem! The receive connectors for getting the email from our gateways had Exchange Servers listed under Permission Groups. This caused the X-MS-Exchange-AuthAs Internal header to be added when the email came in. With this header, when the email gets forwarded on to EOP, EOP sees it and stamps it as SCL -1, which was causing the email to not go into junk.
The fix: Un-check Exchange Servers under Permission Groups for the receive connectors.
Lots of stuff arriving in Junk folder now.
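
The check and fix described in the post above, as an added example that is not part of the original thread: an Exchange Management Shell audit of which receive connectors grant the Exchange Servers permission group, followed by a dry-run removal on the gateway-facing ones. The connector names in `$GatewayConnectorNames` are hypothetical placeholders; default internal connectors normally keep Exchange Servers and are left alone.

```powershell
# Added example. Run in the Exchange Management Shell on the on-premises servers.
# ASSUMPTION: replace these hypothetical names with the receive connectors that
# accept mail from your external gateways.
$GatewayConnectorNames = @('From Gateway A', 'From Gateway B')

# 1. Audit: one row per receive connector, flagging the ExchangeServers grant.
#    PermissionGroups is normalised to a string first so this works with both
#    live and deserialized (remote session) objects.
$report = Get-ReceiveConnector | ForEach-Object {
    $groups = @("$($_.PermissionGroups)" -split ',\s*')
    [pscustomobject]@{
        Identity           = "$($_.Identity)"
        RemoteIPRanges     = ($_.RemoteIPRanges -join ', ')
        PermissionGroups   = ($groups -join ', ')
        HasExchangeServers = ($groups -contains 'ExchangeServers')
        IsGatewayConnector = ($GatewayConnectorNames -contains $_.Name)
    }
}
$report | Sort-Object HasExchangeServers -Descending | Format-Table -AutoSize -Wrap

# 2. Fix (dry run): drop ExchangeServers from the gateway connectors only,
#    keeping every other permission group the connector already had.
$targets = $report | Where-Object { $_.IsGatewayConnector -and $_.HasExchangeServers }
foreach ($row in $targets) {
    $keep = @($row.PermissionGroups -split ',\s*' |
              Where-Object { $_ -ne 'ExchangeServers' })
    if ($keep.Count -eq 0) { $keep = @('None') }

    Write-Host "Would set $($row.Identity) to: $($keep -join ', ')"
    Set-ReceiveConnector -Identity $row.Identity `
                         -PermissionGroups ($keep -join ',') -WhatIf
}
```

Remove `-WhatIf` once the dry-run output lists only the connectors you intend to change, then send a test message through the gateway and confirm its headers no longer show the Internal AuthAs value.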